Late-Night Hearing on CCPA Amendments Delivers Mixed Bag

Privacy and Data Security

In a late-night hearing on Tuesday, the California State Senate’s Judiciary Committee deliberated on a suite of proposed amendments to the state’s comprehensive new privacy law, the California Consumer Privacy Act (CCPA). While none of the currently proposed amendments promise to restructure any of the CCPA’s core concepts, businesses currently developing their readiness programs have kept a close eye on certain helpful clarifications and exemptions in advance of the law’s looming implementation deadlines in 2020.

We gained a bit more clarity on Tuesday night. Here are the major developments:

  • The bill to explicitly exclude employment-related personal information (PI) from the CCPA, AB 25, passed unanimously, but with three important caveats. First, this exemption is subject to a one-year sunset provision. Second, businesses must still disclose the collection of employment-related PI. Third, such information remains subject to the CCPA’s data breach provisions. The modifications reflect labor interests’ concerns about employers surreptitiously monitoring their employees. The sunset in the bill forces stakeholders to stay at the table and find a longer-term solution.
  • The bill to explicitly permit loyalty programs notwithstanding the CCPA’s nondiscrimination protections, AB 846, passed unanimously, but with the added specification that businesses operating such programs cannot sell the data to third parties.
  • A bill that had been heavily backed by industry groups, AB 873, seeking to clarify the definition of “deidentified information” as utilized in the CCPA’s important exemption for such information, failed. The bill would have conformed the exemption to the Federal Trade Commission’s standard for deidentification, which requires that deidentified information be “reasonably” incapable of reassociation with an individual. Privacy activists argued the bill created a large loophole for unfettered use of information such as IP addresses that are still unique enough to be associated with individuals.
  • A bill specifically tailored to the automobile industry, AB 1146, passed unanimously. It creates an exception to a consumer’s right to opt out and right to delete as it relates to vehicle and ownership information shared between a car manufacturer and new car dealer for necessary warranty and recall repairs.
  • The committee passed AB 1564, the bill allowing online businesses to provide consumers only with an email address to exercise their CCPA rights, as opposed to also requiring a toll-free phone number.

For businesses hoping that the proposed CCPA amendments would offer clarity on the more ambiguous aspects of the law, the results of Tuesday’s session are a mixed bag. On one hand, businesses wondering whether they would need to comply with deletion requests from employees or nondiscrimination allegations relating to their loyalty programs will find some comfort that those important clarifications remain viable after the significant hurdle that the Senate Judiciary Committee presented. On the other hand, the current deidentification standard remains and leaves many real-world challenges unanswered. The clarifying bills that continued to move forward are those where compromise was struck between a variety of privacy advocates and business trade associations.

With the legislative session continuing until September 13, there are still opportunities for businesses and other interests to seek further compromises and amendments of provisions discarded on Tuesday or new concepts altogether. Of course, there are also opportunities for opponents to try to defeat the measures in the Senate. What is clear, however, is that the legislative desire for political consensus among stakeholders necessarily narrows the field of what is possible.

We will continue to monitor these developments closely to provide stakeholders with meaningful updates and insight as compliance deadlines draw increasingly closer.